Amazon Load balancer - amazon-web-services

I have a website with an API. I created 2 instances for the web UI and 2 instances for the web API. I want to create an ELB for the web UI instances. Which one do I need to create: application, network or classic? All traffic must be secure (SSL/https). The web UI instances run IIS. They should have a lot of domains and subdomains with SSL.
Second question: I need an ELB with a secure connection, so I want to create a certificate on Amazon. When I create the cert, Amazon asks which domain I have. But it will be an ELB with a DNS name, for example myELBAFwEGewff.aws2.com. If I have a lot of domains on IIS, how will the ELB work?

AWS ELB does not play nicely with endpoints outside of their infrastructure. Where you have the stuff on IIS, you would need to leverage a vendor-agnostic load balancing solution.

Created an Application Load Balancer.
Created 2 machines for UI and 2 for API.
Also set up SSL for the domain and set up routes for the machines and subdomains.
Didn't create https on IIS. Just created 443 on the balancer and 80 on EC2.
Everything works fine.

Related

What is the difference between WAF and Security Group

I would like to understand what the difference is between a WAF, a Security Group, and a routing table.
Let's say I have a VPC with 2 subnets (one of them private) and I want to deploy a web application (UI, a backend service and a database (RDS)). In this scenario, where do WAF and security groups come into the picture?
Can someone help me understand a use case?
HTTP protocol is built on top of the TCP protocol.
WAF inspects the HTTP traffic before it reaches your web application in order to block malicious web traffic.
In order to implement WAF in front of a containerized application (running on ECS for example) or in front of an application running on EC2 you should use an Application Load Balancer in front of the application servers and associate the WAF with that load balancer.
If your application runs on Lambda you can do the same but using API Gateway.
A Security Group accepts or blocks network protocols such as TCP, UDP and ICMP, based on ports. Open up ports 443 and 80 if you want to expose your web application.
Routing tables should be associated with your subnets so that the network traffic (TCP) knows where to go.
Best practice is to put your application servers and databases in private subnets (with routing tables that do not route traffic from the Internet) and then put e.g. an Application Load Balancer in the public subnets in order to accept traffic from the Internet and route it to your private subnets.
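As an added example (not from the answer above), here is the layering it describes in Terraform: the app servers' security group only admits the load balancer's security group, and a WAF web ACL using AWS's managed common rule set is associated with the ALB. The VPC id, ALB ARN and ALB security group id are assumed to be managed elsewhere and are passed in as variables; resource names are placeholders.

```hcl
variable "vpc_id" {}
variable "alb_arn" {}               # the Application Load Balancer in the public subnets
variable "alb_security_group_id" {} # the ALB's own security group (443/80 from the Internet)

# Private-subnet app servers accept port 80 only from the ALB's security group, not from arbitrary addresses.
resource "aws_security_group" "app" {
  name   = "web-app"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [var.alb_security_group_id]
  }
  # Terraform removes the default allow-all egress rule; add an egress block if the servers need outbound access.
}

# Layer-7 inspection: AWS's managed common rule set is evaluated before a request reaches the app.
resource "aws_wafv2_web_acl" "web" {
  name  = "web-acl"
  scope = "REGIONAL"                # regional scope is the one ALBs use
  default_action { allow {} }
  rule {
    name     = "common"
    priority = 1
    override_action { none {} }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "common"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "web-acl"
    sampled_requests_enabled   = true
  }
}

# Associating the ACL with the ALB is what puts WAF "in front of" the application.
resource "aws_wafv2_web_acl_association" "web" {
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.web.arn
}
```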

Does the AWS Application Load Balancer handle reverse proxy?

I am trying to use the AWS application load balancer in my application with WAF support in it. At the same time, I also need support for reverse proxy. Does the AWS application load balancer handle reverse proxy?
Not sure if we are talking about the same thing, but in my understanding, AWS ALBs are reverse proxy servers.
You add your actual application server(s) in a target group to an ALB listener, and then external clients connecting to the ALB over http/https will see your application as if it was served by the ALB.
You can add HTTP request filtering to the ALB listener, so you can configure which requests go to which target group, both by domain name and by http path.
ALBs also do SSL offloading, i.e. they handle https handshakes with a server certificate registered in the ALB, so your own application server doesn't need to do that anymore.
No, it can't.
To do reverse proxy in AWS, you can set up a NAT Gateway in your VPC. This way, all connections from your servers to a specific IP (or the public internet) will come from a single IP.

Route53 - DNS resolution to a specific port on an EC2 instance

I have a website that I have hosted on an EC2 instance that runs on port 3000. (e.g. 3.27.83.19:3000 - assuming the IP address of the EC2 instance is 3.27.83.19)
I have a domain, mydomain.com, that I have already bought through AWS and that I already see in Hosted Zones.
How can I set up Route53 so that when someone hits "mydomain.com", it takes them to 3.27.83.19:3000 rather than 3.27.83.19?
Thanks!
Point domain to instance IP
To point example.com to 3.27.83.19 you simply need to create an A record in Route53.
Point domain to load balancer
To access the website running on port 3000 on an EC2 instance through https://example.com, you need a service that accepts traffic on https://example.com and then forwards the traffic to the EC2 instance on port 3000. You can easily do it with an AWS application load balancer. I like this approach.
There are many benefits to using an application load balancer. The important one is that you can configure the SSL certificate easily. The application load balancer also supports host-based routing, which allows you to host multiple websites.
If you are looking for less expensive solutions, you can also go for setting up an nginx proxy inside the ec2 instance. I personally don't like this approach because you will need to configure SSL at the application level.
https://aws.amazon.com/premiumsupport/knowledge-center/public-load-balancer-private-ec2/
Hope this helps.

Pointing a domain to securely connect to an ec2 instance running a python app

Say I have an AWS EC2 instance that is running a Python application on a certain port, say 8000. Also imagine I have a domain name, say www.abcd.com, that I own. What does it take to make my website use https and securely redirect to the app on my EC2 instance that is listening on port 8000? Is this even possible to do, or do I need something like nginx in between?
Firstly, you will need to ensure that your EC2 instance is in a public subnet with a public IP; it will also need its security group open on whatever port you are hitting it on (8000). At this point you should be able to hit your application on public-ip:port.
Now if you want to do the above while using a domain, you will want to use AWS's Route 53 service. From this you can create DNS routing using your domain. You will want to create a record from application.example.com to your instance's public IP. After doing so you should be able to visit application.example.com and hit your application. In doing the following, it is now possible to make your EC2 instance private.
Now if you wish to include HTTPS on top of this, the best way would be to create a public load balancer with a certificate attached; this would accept HTTPS traffic from your user, then forward that traffic over HTTP to your EC2 instance on a selected port (8000).
After doing this you will want to change your Route53 entry to point to your load balancer instead of directly at your EC2.
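The ALB-in-front setup described in this answer (and in the Route53 and reverse-proxy answers above), as an added Terraform example that is not from the original posts: the target group points at port 8000 on the instance, the HTTPS listener terminates TLS with an ACM certificate, and an alias record sends example.com to the load balancer. The VPC, public subnets, instance, hosted zone and certificate are assumed to exist and are passed in as variables; security groups are handled separately.

```hcl
variable "vpc_id" {}
variable "public_subnet_ids" { type = list(string) }
variable "instance_id" {}       # EC2 instance running the app on port 8000
variable "zone_id" {}           # Route53 hosted zone for example.com
variable "certificate_arn" {}   # ACM certificate issued for example.com

# Internet-facing ALB in the public subnets; the instance itself can stay private.
resource "aws_lb" "web" {
  name               = "web"
  load_balancer_type = "application"
  subnets            = var.public_subnet_ids
}

# The target group speaks plain HTTP to the app port, so the app needs no TLS of its own.
resource "aws_lb_target_group" "app" {
  name     = "app-8000"
  port     = 8000
  protocol = "HTTP"
  vpc_id   = var.vpc_id
}
resource "aws_lb_target_group_attachment" "app" {
  target_group_arn = aws_lb_target_group.app.arn
  target_id        = var.instance_id
  port             = 8000
}

# TLS terminates at the listener with the ACM certificate (SSL offloading).
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

# example.com resolves to the ALB through an alias record, not to the instance IP.
resource "aws_route53_record" "root" {
  zone_id = var.zone_id
  name    = "example.com"
  type    = "A"
  alias {
    name                   = aws_lb.web.dns_name
    zone_id                = aws_lb.web.zone_id
    evaluate_target_health = true
  }
}
```

Because the listener holds the certificate, the instance only ever sees HTTP on 8000 from the ALB, so its security group can restrict that port to the ALB's security group instead of opening it to the Internet.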
Yes, it is totally possible.
Here is a step-by-step procedure to do it:
You need to create a hosted zone in Amazon's Route 53 service.
Then use its NS records to connect it with your domain (wherever you have registered it).
Then you need to connect your EC2 instance IP with your hosted zone.
Now you can access your EC2 instance using this domain, but it will not be https.
For https, you need a certificate, which you can obtain from AWS Certificate Manager.
After obtaining the certificate, follow the steps from this blog: How to set up HTTPS for your domain on AWS.
NOTE: These are just high-level points; follow them and look for more insight into how exactly to do it in your case. I followed these steps while deploying using Elastic Beanstalk.

exposing internet facing api using amazon web services

If I would like to expose a web app to the external internet, what steps do I need to follow in AWS?
Create CloudFront or a static IP or Route 53? Not sure what needs to be exposed.
Create WAF?
Create ELB? AWS ELB or nginx?
Enforce https through the web server?
Any other requirements? Please point me through.
Route53 is not a requirement at all. You can use Route53 for DNS, or you can use a third-party DNS service, or you can just use a static IP (AWS Elastic IP).
WAF is not needed just for exposing an API.
ELB is only needed if you are running this on multiple servers.
You could enforce HTTPS at the web server, or you could just leave port 80 closed and only open port 443.
At an absolute minimum you just need to deploy your application to an EC2 server, open the appropriate port(s) in the Security Group, and assign the server an Elastic IP.